    WPA3 via Unifi APs

    Off-Topic & Non-Support Discussion
    • johnpoz
      johnpoz LAYER 8 Global Moderator last edited by johnpoz

      So I know quite a few people around here use the unifi APs..

      Figured drop a little note in case anyone is interested.. With release of their controller 6.1.51 (beta) they have finally enabled wpa3 for most of their AP.. There is a list of all that are supported on their forum post about the release.. Huge list of changes and bug fixes.

      The thing that is annoying is from an apple device, iphone/ipad there is no way to see any info about the connection. Is it wpa2, is it wpa3.. etc.. And the controller doesn't tell you - which I hope is a future thing. Be nice to see what devices are using wpa2 vs 3..

      But there is a way to get the info, even if a bit of pita on apple devices. You need to install the wifi profile from the developers section.

      https://developer.apple.com/bug-reporting/profiles-and-logs/

      You have to sign in with your apple id and agree to the developers agreement.. I didn't read it - so maybe you're giving up your first born when you click yes ;)

      You can then install the profile which adds a diagnostic menu item under your wifi info on your device.

      wifi.png

      One requirement is your AP needs to be using 5.43+ as well.. So make sure you're on the latest version for your AP as well if you want to do this. I always run the latest beta of the firmware, which I show as 5.43.24.12539..

      What I don't get is why are these diagnostics not available just out of the box.. It's good info! Should just be standard. I think the profile expires in like 30 days so you might have to keep updating it if you want to be able to view this info.. The channel you're connected to and the VHT you're using along with actual strength, the channel util - the actual BSSID of the AP you're connected to - why is this not standard info that is provided.. F'ing apple.. Also where is the actual PHY rate for tx and rx.. That would be great info..

      noplan jwj 2 Replies Last reply Reply Quote 7
      • noplan
        noplan @johnpoz last edited by noplan

        @johnpoz

        no first born here ... and my dog is trained to come back ;)

        yeppeeee .... /me startin update now ;)
        thx

        johnpoz 1 Reply Last reply Reply Quote 0
        • johnpoz
          johnpoz LAYER 8 Global Moderator @noplan last edited by johnpoz

          While it's good to be able to use more secure wifi.. Other shitty thing is so many iot devices don't support it as of yet.. So you most likely have to run in wpa2/wpa3 mode for your iot vlans..

          I set my 2 vlans for those sorts of devices to that, but did move my guest to wpa3 only mode. So guess if ever have any guest over again (f'ing covid).. Their devices will have to support it ;)

          But this has always been the case when new wifi tech comes out, takes freaking years to be able to get rid of the old tech.. Most iot devices only support 2.4n or even just g.. So you can't just run 5ghz even if you have enough AP to cover everywhere..

          I sure don't plan on replacing all my smart lights any time soon ;) Is there any even on the market that do 5ghz and also support wpa3? As of yet?

          Maybe the new alexa devices do - have to do a bit of research on that. Since can not tell from the controller what the clients are using for connection.

          noplan 1 Reply Last reply Reply Quote 0
          • noplan
            noplan @johnpoz last edited by

            @johnpoz

            thx for the reminder, same here,
            nearly all IoT stuff is on 2,4 ...

            guest mode is disabled cuz there will be no guests here in the near future (they are discussing lockdown IV soon ;)

            i got my favorite IoT device his own access points and his own wifi Net ;)
            my lawn robot mower, personally i think he deserves it (2,4Ghz only) ;)

            johnpoz 1 Reply Last reply Reply Quote 0
            • johnpoz
              johnpoz LAYER 8 Global Moderator @noplan last edited by johnpoz

              @noplan said in WPA3 via Unifi APs:

              my lawn robot mower

              Dude you got any videos of it doing its thing while you sit back and watch with a beer! Would love that...

              How well does it work.. I have toyed around with maybe getting one of those ;)

              noplan 1 Reply Last reply Reply Quote 0
              • noplan
                noplan @johnpoz last edited by

                @johnpoz

                i m usin a landroid worx (with cut to edge) with the anti collision system, see pic (so that dog and the droid can play catch (spoiler: dog wins by tappin on the emergency button, pretty annoying for me cuz the droid cant be started with the app after stopped by emergency)

                487dc859-efd0-49ab-a6da-be4d314923e4-grafik.png

                runs on 2,4Ghz, i used some old unifi outdoor (traded for a bottle of Kona Big Wave beer each)
                my feeling, the better the wifi coverage is the less problems if there were any. rain sensor is included in this model, and the spots the droid cant get to (radius too small) i got covered with some plants ;)

                it works pretty awesome, and the best thing is u only need one line of wire the droid uses the wire to get back home if his shift ends or he needs to recharge, this and cut to edge and maybe the cool look with the ACS was my goto for it

                if i really need to voice command it with google .... hmmmm dont know yet.

                lookin for some pictures
                br NP

                johnpoz 1 Reply Last reply Reply Quote 0
                • johnpoz
                  johnpoz LAYER 8 Global Moderator @noplan last edited by

                  That does look pretty slick!

                  But at that cost.. Take over 3 years to pay back the cost of just having the landscaping company do it ;)

                  Would be fun to play with though..

                  noplan 1 Reply Last reply Reply Quote 0
                  • noplan
                    noplan @johnpoz last edited by

                    @johnpoz

                    yes i got u on this, i never ever calculated and will compare against wage for the landscaping guys.

                    but i love it commin home, not concerning what the garden looks like,
                    fire up the webber grill and gettin my steak or beer n burgers, or hang out with whoever comes around ;) i just bought myself free time, yes i guess that's it.

                    johnpoz 1 Reply Last reply Reply Quote 0
                    • johnpoz
                      johnpoz LAYER 8 Global Moderator @noplan last edited by johnpoz

                      I have company just cut the lawn for many many years.. Yeah your time is priceless if you ask me ;)

                      When first got the house - loved to cut the grass.. Grab a beer, or 2 or 3.. self powered mower so not a lot of effort - just guiding it about. Then edging - get some sun.. Then the boys got bigger and had them do it.. But would have to always go over what they missed, and edge.. So really didn't save much time..

                      And had to pay them.. F'ing wife - isn't the bed they sleep in, the food on the table pay enough for them <hahah>.. But when I got the lawn company to do it - was cheaper than paying the boys to do it. And didn't have to pay for gas for the mower, didn't have to spend time edging..

                      It was a win win for sure just paying to get it done. But now with toys like that - I miss out on playing with such a cool toy! hehehehe

                      But the current economics of switching to doing it myself (with a robot) vs just paying the lawn company who's cost has been really stable for many years.. No way I could get that through the budget committee (wife) on that sort of ROI ;)

                      noplan M 2 Replies Last reply Reply Quote 0
                      • noplan
                        noplan @johnpoz last edited by

                        @johnpoz

                        Oh yes I feel ya!

                        Main problem I see the more area the mower has to cover the more expensive these droids get,
                        I got my mom 2 of them and still saved money

                        She s happy with Duffy & Buggs but more important I don't have to do it if she s not around ... To earn the son of the month award ;)

                        But to get the fire and forget version of cuttin the grass there were some hours of blood sweat n tears and no this was not fun cuz beloved wife would not allow to cut trees or move plants....

                        1 Reply Last reply Reply Quote 0
                        • jwj
                          jwj @johnpoz last edited by

                          @johnpoz Hi John. How's 6.1.51? Looks like a mixed bag from the Ubiquiti Forum. Any big things that standout?

                          johnpoz 1 Reply Last reply Reply Quote 0
                          • johnpoz
                            johnpoz LAYER 8 Global Moderator @jwj last edited by johnpoz

                            For what I am using it for - it works, I got wpa3 enabled..

                            I don't like the new UI.. Its a freaking ad for dream machine.. WTF? If you don't have a USG you see this nonsense.

                            billboard.png

                            I guess could hide that element with the browser.. But come on.. And that windows 10 in the corner - ok I am connected with windows 10 to the gui, but that is not what the controller is running on, etc.

                            And really don't like how they have changed the settings about in the new ui.. So I just turn off the new ui stuff and use the classic..

                            How about show some info about the controller on the dashboard - what its running on, cpu/mem/etc..

                            The dashboard could be really nice if they allowed you to put the info you want on there, that was actually useful.. You can add some widgets and stuff in the classic setting.. But much of the data is really misleading - and they have issues for sure with metrics. I chased some details on what the F does this mean..

                            anomol.png

                            High latency means what? I haven't really found a good answer..

                            I pretty much use it to make setting changes, and quick simple way to see what devices are connected to what AP, at what connection rates, etc. etc.. But now that they have wpa3 enabled - they don't show you if client is using that? I would think this would be great info to include.. Hey did my IOT device connect using wpa3, or maybe I should think about upgrading them.. Or maybe move them to a different ssid that is only wpa2, etc. etc.

                            But overall it works - I can make the settings I need to make, I can get decent amount of info about clients PHY and which AP.. And see some details of how the AP are running from cpu/mem - what is breakdown of util for different channels, etc.

                            But it for sure is lacking in areas - why I always run the latest beta.. Hoping it improves ;)

                            jwj 1 Reply Last reply Reply Quote 0
                            • jwj
                              jwj @johnpoz last edited by jwj

                              @johnpoz Thanks John.

                              I agree that the dashboard metrics are of limited usefulness, WiFi experience and the stuff in the two boxes on the left. I don't like the big ad but I suppose I should expect such crap from Ubiquiti.

                              I'll backup my 5.0.x config and do the update. Can always set it to use the "classic" UI. I see that with 5.1.x the New settings and UI are now glued together. Oh well, I don't keep that open in a browser tab so no biggie.

                              I can always do a dpkg -P unifi and restore the 5.0.x if it all goes south.


                              I had turned off my Unifi stuff a couple of weeks ago and put up my Ruckus APs. I've now taken them down so I can take them to our new place next week and put the Unifi stuff back up.

                              I currently have 3 SSIDs. One for "home" devices that use enterprise and Radius assigned vlan. One for "other" devices that use psk and MAC based Radius assigned vlan. And my guest network. The only device on my "home" network that can't use WPA3 is a HD (gen4) Apple TV. I'll just put that on the "other", psk, network. So I'll be able to use WPA3-Enterprise on that home network and just leave the others alone.

                              I suppose I could just go WPA3/WPA2 psk and get rid of that enterprise network and be down to two SSIDs... It's good to have choices.

                              Sorry if this is a bit disjointed. Slept in late and only one cup of coffee.

                              John

                              johnpoz 1 Reply Last reply Reply Quote 0
                              • johnpoz
                                johnpoz LAYER 8 Global Moderator @jwj last edited by johnpoz

                                I have not been able to get wpa3-enterprise to show up on device - iphone.. Which I know supports wpa3, since it works via wpa3-psk.

                                From what I can tell really wpa3 enterprise doesn't get you much unless you use 192 encryption.. But can not enable that via my AP Pro, Lite and LR - seems that is only supported on gen 3 AP.. so you would need HD APs

                                wpa3.png

                                I tried setting freerad to cipher AES256-SHA256 since I believe you need to be using min AES128 for wpa3 enterprise..

                                I set wpa3 enabled and required PMF - but iphone is still just showing wpa2 enterprise..

                                Yeah the only 3 devices on eap-tls network are 2 iphones and an ipad.. and laptop - but the laptop prob doesn't support wpa3 anyway. And right now its my work laptop and I just have it wired since started working from home full time.

                                wpa2-ent is more than secure enough anyway.. But it would be nice if could get it doing wpa3-ent.. I guess I could just move to wpa3-personal, and forget all the eap-tls and freerad stuff..

                                I for sure need to do some research on the difference between wpa2-ent and wpa3-personal.. I am really not finding all that much from a security point of view, especially if you're using PMF required on your wpa2-ent setup..

                                edit: BTW this and that little issue with the freerad package and users gets me to thinking I need to get eapol_test running on something. But I really don't have anything that supports wpa3 I could run it on anyway.. So it wouldn't help me with this little issue - but it would be simple way to figure out the ciphers being used.. I changed the cipher_list from default to HIGH, and then even just called out AES256-SHA256 by editing freeradius.inc - since couldn't find a way to edit that in the freerad gui..

                                jwj 1 Reply Last reply Reply Quote 1
                                • jwj
                                  jwj @johnpoz last edited by

                                  @johnpoz OK, thanks. Saved me some time and head scratching. All of my "home" devices are iPhones, iPads and MacBooks.

                                  I have two nanoHDs and an AC-Pro, so that one generation 2 AP would be an issue.

                                  Maybe I'll just do nothing. ;) More coffee required.

                                  At some point I'd love to pick your brain about using a L2/L3 switch and the topology. That's for another day after I've gone to school on the subject so as to not look like a dummy ;)

                                  Thanks again!

                                  johnpoz 1 Reply Last reply Reply Quote 0
                                  • johnpoz
                                    johnpoz LAYER 8 Global Moderator @jwj last edited by johnpoz

                                    Yeah sure - happy to help... Take a look at my edit if you missed it.. Do you have eapol_test running on anything. I guess you have to compile it yourself from wpasupplicant.. I wasn't able to find a binary.. I can sure fire it up on VM I would think..

                                    Wonder if that would be something useful to add when you add the freerad package, you can test basic connectivity with radtest, but you can not really test eap-tls with that.

                                    jwj 1 Reply Last reply Reply Quote 0
                                    • jwj
                                      jwj @johnpoz last edited by jwj

                                      @johnpoz I don't.

                                      I also haven't gone through my radius conf in any serious way. I think that is a good activity for me today. Maybe I should put up a freerad server in a VM and go through it all by hand, take the GUI out of it and actually learn the concepts and config. Make a setting, google google google. Rinse and Repeat... ;)

                                      johnpoz 1 Reply Last reply Reply Quote 0
                                      • johnpoz
                                        johnpoz LAYER 8 Global Moderator @jwj last edited by

                                        Same here ;) It just worked really out of the box.. clicky clicky ;)

                                        Guess that is part of the reason I didn't notice that you really should have to have a user created - hehehe but I didn't and eap-tls was working..

                                        If no user to match the CN - wtf was it checking the user against ;) doh!

                                        1 Reply Last reply Reply Quote 0
                                        • jwj
                                          jwj last edited by

                                          I guess I'll start at the basics. Unwind any misconceptions before moving forward.

                                          https://networkradius.com/doc/FreeRADIUS%20Technical%20Guide.pdf

                                          1 Reply Last reply Reply Quote 0
                                          • chpalmer
                                            chpalmer last edited by

                                            Just updated my UAP-AC-Pro's to 5.53.1.12737 which showed up available this morning.

                                            Just FYI for those looking. I assume one would need this for WPA3 capabilities..

                                            johnpoz 1 Reply Last reply Reply Quote 0
                                            • johnpoz
                                              johnpoz LAYER 8 Global Moderator @chpalmer last edited by

                                              The previous firmware supported it, 5.53.1 was just putting them all on the same version again for the different gens of their AP.

                                              M chpalmer 2 Replies Last reply Reply Quote 0
                                              • M
                                                mcury @johnpoz last edited by

                                                There was a bug in the previous version..
                                                Some printers were not connecting with WPA2/WPA3 transitional - PMF optional..

                                                Now it's fixed.. So you can have WPA2 only devices connected to a WPA3 BSSID without problems now.. At least nanoHD.. I guess this release is going to be an official release

                                                M 1 Reply Last reply Reply Quote 0
                                                • M
                                                  mcury @mcury last edited by

                                                  BTW, I finally solved the wrong date/time in the controller.

                                                  Thanks to a user in the Ubnt forum, found out that the controller is not using the system time, it's using the Java time, which is outdated..

                                                  In case you are facing this problem in the controller, here is how to fix it:

                                                  Update JAVA TZ time
                                                  Java SE Timezone Updater 2.3.2
                                                  
                                                  https://www.oracle.com/java/technologies/javase-tzupdater-downloads.html
                                                  
                                                  java -jar tzupdater.jar --version
                                                  sudo systemctl stop unifi.service
                                                  sudo java -jar tzupdater.jar -l
                                                  java -jar tzupdater.jar --version
                                                  sudo systemctl start unifi.service
                                                  
                                                  1 Reply Last reply Reply Quote 0
                                                  • occamsrazor
                                                    occamsrazor last edited by occamsrazor

                                                    Did you manage to get WPA3 Personal working with a NanoHD or FlexHD? I just updated my controller to 6.1.54 and am struggling to get it working with a Macbook. I tried enabling it but the Macbook didn't seem to make a WPA3 connection. I read this thread which was a bit over my head, but the impression I got is that with MTK models like NanoHD/FlexHD WPA3 may not be working???

                                                    https://community.ui.com/questions/802-11r-Fast-BSS-Transition-and-802-11v-BSS-Transition-Management-Frame-on-WPA3-Supported-Matrix/de07c88c-7b9f-43ab-9c5b-e99c0f7756a0

                                                    BTW I figure you must know but just in case any reading this doesn't.... re: seeing if clients are using WPA2/WPA3.... on Mac you can just option-click the WiFi menubar icon and it'll tell you all the connection info.

                                                    jwj M 2 Replies Last reply Reply Quote 0
                                                    • jwj
                                                      jwj @occamsrazor last edited by jwj

                                                      @occamsrazor It works "fine" on a nanoHD. The issue, as pointed out, is clients that do not support WPA3. In my case it's around clients that do not support PMFs that are required with WPA3-Enterprise.

                                                      As to the status on a MacOS, there is a bug (I reported it) that if you connect WPA2-Enterprise with mandatory PMF the Mac will indicate it's a WPA3-Enterprise connection in error.

                                                      To me, this is a question of what do you really want or require. Meaning does WPA3 buy you anything that is worth the effort. You'll have to answer that for yourself. Any weakness is only a potential problem once some client is authenticated on a WLAN. My home network is not a zero trust network (IoT devices are walled off and given Internet access only via a WLAN just for them) so it's not a big deal to me.

                                                      I want to encourage anyone who is thinking about updating their controller to the 6.1.x train be absolutely sure you have a fallback plan. Backup your Unifi config and know how to downgrade the controller.

                                                      occamsrazor 1 Reply Last reply Reply Quote 0
                                                      • M
                                                        mcury @occamsrazor last edited by

                                                        I was helping Glenn to fix this problem:

                                                        https://community.ui.com/questions/Samsung-printer-connectivity-issue/e9b782b9-a40b-48cb-b43c-0b0d35716f0e

                                                        He asked me to test a firmware in the nanoHD, and with it I was able to connect my printers to the WPA2/WPA3 transitional BSSID, with PMF optional.

                                                        My Galaxy S10 detects the network as a WPA2/WPA3 network, but I didn't perform packet captures to confirm if my phone is indeed using the WPA3..

                                                        Try to "forget" the network in the Macbook, and connect again.
                                                        More info about it in this topic:

                                                        https://community.ui.com/releases/UniFi-Network-Controller-6-1-51/9124593a-1d5e-40f1-a3a7-ab62862e1fce#comment/d6af6798-d8dd-4ecf-8399-05e2cd487409

                                                        1 Reply Last reply Reply Quote 0
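Added example, not part of the original thread or any poster's code: the packet-capture check mentioned in the post above comes down to reading the RSN information element (tag 48). The AP's beacon lists every AKM it offers, while the client's association request carries the one it chose, so the latter shows whether a client on a transition-mode SSID used SAE (WPA3) or PSK (WPA2). The sample byte strings are constructed, and the function names are hypothetical.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")
CIPHERS = {2: "TKIP", 4: "CCMP-128", 6: "BIP-CMAC-128", 8: "GCMP-128",
           9: "GCMP-256", 10: "CCMP-256", 12: "BIP-GMAC-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 12: "802.1X-SuiteB-192"}
SAE_AKMS = {"SAE", "FT-SAE"}
PSK_AKMS = {"PSK", "FT-PSK", "PSK-SHA256"}

# Constructed samples (not from a real capture): raw RSN elements incl. tag and length.
BEACON_TRANSITION = bytes.fromhex(   # AP offers PSK + SAE, PMF capable (optional)
    "3018" "0100" "000fac04" "0100" "000fac04" "0200" "000fac02" "000fac08" "8000")
ASSOC_SAE = bytes.fromhex(           # client selected SAE, PMF required, BIP group mgmt
    "301a" "0100" "000fac04" "0100" "000fac04" "0100" "000fac08" "c000" "0000" "000fac06")
ASSOC_PSK = bytes.fromhex(           # legacy client selected PSK, no PMF
    "3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")


def _suite(body, off, table):
    """Decode one 4-byte suite selector (3-byte OUI + 1-byte type) to a name."""
    if off + 4 > len(body):
        raise ValueError("truncated suite selector")
    oui, typ = body[off:off + 3], body[off + 3]
    if oui != RSN_OUI:
        return f"vendor:{oui.hex()}:{typ}"
    return table.get(typ, f"unknown:{typ}")


def _suite_list(body, off, table):
    """Decode a little-endian count followed by that many suite selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    names = []
    for _ in range(count):
        names.append(_suite(body, off, table))
        off += 4
    return names, off


def parse_rsn(ie: bytes) -> dict:
    """Parse a raw RSN element; every field after the version is optional."""
    if len(ie) < 4 or ie[0] != 48:
        raise ValueError("not an RSN element")
    if ie[1] != len(ie) - 2:
        raise ValueError("length byte does not match element size")
    body = ie[2:]
    if struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN version")
    out = {"group": None, "pairwise": [], "akm": [],
           "mfpc": False, "mfpr": False, "group_mgmt": None}
    off = 2
    if off == len(body):
        return out
    out["group"] = _suite(body, off, CIPHERS)
    off += 4
    if off == len(body):
        return out
    out["pairwise"], off = _suite_list(body, off, CIPHERS)
    if off == len(body):
        return out
    out["akm"], off = _suite_list(body, off, AKMS)
    if off == len(body):
        return out
    if off + 2 > len(body):
        raise ValueError("truncated RSN capabilities")
    (caps,) = struct.unpack_from("<H", body, off)
    off += 2
    out["mfpr"] = bool(caps & 0x0040)   # management frame protection required
    out["mfpc"] = bool(caps & 0x0080)   # management frame protection capable
    if off == len(body):
        return out
    if off + 2 > len(body):
        raise ValueError("truncated PMKID count")
    (pmkids,) = struct.unpack_from("<H", body, off)
    off += 2 + 16 * pmkids              # skip the PMKID list itself
    if off > len(body):
        raise ValueError("truncated PMKID list")
    if off < len(body):
        out["group_mgmt"] = _suite(body, off, CIPHERS)
    return out


def ap_mode(rsn: dict) -> str:
    """Label what an AP advertises (beacon or probe response)."""
    akm = set(rsn["akm"])
    if akm & SAE_AKMS and akm & PSK_AKMS:
        return "WPA2/WPA3-Personal transition"
    if akm & SAE_AKMS:
        return "WPA3-Personal only"
    if akm & PSK_AKMS:
        return "WPA2-Personal"
    return "Enterprise/other: " + ",".join(sorted(akm)) if akm else "unknown"


def pmf_state(rsn: dict) -> str:
    return "required" if rsn["mfpr"] else "optional" if rsn["mfpc"] else "disabled"


def client_uses_sae(assoc_rsn: dict) -> bool:
    """An association request carries exactly one AKM: the one the client chose."""
    if len(assoc_rsn["akm"]) != 1:
        raise ValueError("association request should select exactly one AKM")
    return assoc_rsn["akm"][0] in SAE_AKMS


if __name__ == "__main__":
    ap = parse_rsn(BEACON_TRANSITION)
    print("AP:", ap_mode(ap), "| PMF", pmf_state(ap))
    for label, ie in (("client A", ASSOC_SAE), ("client B", ASSOC_PSK)):
        rsn = parse_rsn(ie)
        print(label, "WPA3 (SAE)" if client_uses_sae(rsn) else "WPA2 (PSK)", "| PMF", pmf_state(rsn))
```
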
                                                        • occamsrazor
                                                          occamsrazor @jwj last edited by

                                                          @jwj said in WPA3 via Unifi APs:

                                                          To me, this is a question of what do you really want or require. Meaning does WPA3 buy you anything that is worth the effort. You'll have to answer that for yourself.

                                                          I really have no need for WPA3 in terms of security, I just like to try new things and understand how they do, or don't work. I was interested by improvements in roaming supposedly in WPA3, though the WPA3 specific fast-roaming seems unsupported by NanoHD at least at this time.

                                                          @mcury said in WPA3 via Unifi APs:

                                                          He asked me to test a firmware in the nanoHD, and with it I was able to connect my printers to the WPA2/WPA3 transitional BSSID, with PMF optional.

                                                          Do you mean it's only working in a non-public firmware? My NanoHDs are on 5.53.1.12737

                                                          @mcury said in WPA3 via Unifi APs:

                                                          Try to "forget" the network in the Macbook, and connect again.

                                                          I just tried that but it didn't seem to help, Mac menubar and Wifi settings still report it as WPA2-PSK only. Is there a minimum MacOS for WPA3? My Macbook is still running Mojave 10.14.6....

                                                          My Wireless Networks settings are:

                                                          Security: WPA Personal
                                                          WPA3: Support WPA3 connections
                                                          WPA3 Transition Mode: Support WPA2 connections on same SSID
                                                          Fast Roaming: Enable fast roaming
                                                          WPA3 specific Fast Roaming: OFF (If I enable it says my NanoHDs do not support this feature)
                                                          PMF: Optional

                                                          I notice that the "WPA Mode" setting directly beneath the PMF setting is greyed out (unselectable) and says "WPA2 only"

                                                          M 1 Reply Last reply Reply Quote 0
                                                          • M
                                                            mcury @occamsrazor last edited by mcury

                                                            @occamsrazor said in WPA3 via Unifi APs:

                                                            Do you mean it's only working in a non-public firmware? My NanoHDs are on 5.53.1.12737

                                                            The FW 5.53.1 probably has the fixes present in the non-public firmware, so it should be working for you. At least my printers are connecting with this firmware, no confirmation from Ubnt that indeed the fixes are present in it.. It's working so I'm making an assumption that it's present.

                                                            I just tried that but it didn't seem to help, Mac menubar and Wifi settings still report it as WPA2-PSK only. Is there a minimum MacOS for WPA3? My Macbook is still running Mojave 10.14.6....

                                                            I don't think so, you see, WPA2/WPA3 transitional with PMF optional, should be fully compatible with WPA2 only devices, if this problem is happening to you, report it asap so they can fix it in the next release.

                                                            My Wireless Networks settings are:
                                                            Security: WPA Personal
                                                            WPA3: Support WPA3 connections
                                                            WPA3 Transition Mode: Support WPA2 connections on same SSID
                                                            Fast Roaming: Enable fast roaming
                                                            WPA3 specific Fast Roaming: OFF (If I enable it says my NanoHDs do not support this feature)
                                                            PMF: Optional

                                                            I tested using the same settings..

                                                            occamsrazor 1 Reply Last reply Reply Quote 0
                                                            • occamsrazor
                                                              occamsrazor @mcury last edited by

                                                              @mcury said in WPA3 via Unifi APs:

                                                              I don't think so, you see, WPA2/WPA3 transitional with PMF optional, should be fully compatible with WPA2 only devices, if this problem is happening to you, report it asap so they can fix it in the next release.

                                                              I may have been confusing. With Unifi set to WPA3 Transition the MacBook still did connect fine, only at WPA2 not WPA3.
                                                              According to this article WPA3 support was only introduced in Catalina, not Mojave, so that explains it...

                                                              "Try to manually join a Wi-Fi network in Catalina on many Macs and you’ll see that WPA3, the new Wi-Fi encryption protocol, has joined the (still default WPA2) and the (old, insecure) WEP and WPA as a security option.
                                                              But unlike iOS 13 and iPadOS 13, which support WPA3 universally across all supported devices, not every Catalina Mac can use WPA3. Older 2012-era Macs with 802.11n adapters still top out at WPA2."

                                                              https://arstechnica.com/gadgets/2019/10/macos-10-15-catalina-the-ars-technica-review/12/

                                                              I just tried with my new M1 Mac Mini running Big Sur (which only usually ever uses ethernet) and it connected immediately on WPA3 without even needing to forget the network... so it seems the lack of WPA3 connection is just because Mojave does not support it.

                                                              It's a shame Unifi doesn't expose the WPA version in the Clients list. I can't install that developer profile on my iPhone as it's a company-owned phone.

                                                              • M
                                                                mcury @occamsrazor last edited by

                                                                @occamsrazor said in WPA3 via Unifi APs:

                                                                It's a shame Unifi doesn't expose the WPA version in the Clients list. I can't install that developer profile on my iPhone as it's a company-owned phone.

                                                                Exactly, people are asking for this feature.. Controller should be providing this info in the clients list...

                                                                • occamsrazor
                                                                  occamsrazor @mcury last edited by occamsrazor

                                                                  @mcury said in WPA3 via Unifi APs:

                                                                  Exactly, people are asking for this feature.. Controller should be providing this info in the clients list...

                                                                  Not sure if there was a request already, searching that forum is so hard, but I created a new one:

                                                                  https://community.ui.com/questions/Feature-request-Expose-WPA-WPA2-WPA3-version-status-in-Client-List/8afb8530-1a03-45e2-a798-2d5a18207341

                                                                  • jwj
                                                                    jwj @occamsrazor last edited by

                                                                    @occamsrazor said in WPA3 via Unifi APs:

                                                                    It's a shame Unifi doesn't expose the WPA version in the Clients list.

                                                                    Not holding my breath.

                                                                    • jwj
                                                                      jwj @occamsrazor last edited by

                                                                      @occamsrazor I up-voted your post on the Ubiquiti forum linked above. Others should do the same if they want Ubiquiti to even notice that it exists.

                                                                      • chpalmer
                                                                        chpalmer @johnpoz last edited by

                                                                        @johnpoz said in WPA3 via Unifi APs:

                                                                        The previous firmware supported it, 5.53.1 was just putting them all on the same version again for the different gens of their AP.

                                                                        4.3.28.11361 ?? Reason I ask is because none of my devices connected with WPA3 until I upgraded to the later firmware.

                                                                        • johnpoz
                                                                          johnpoz LAYER 8 Global Moderator @chpalmer last edited by johnpoz

                                                                          What AP are you using?

                                                                          As you could see I was using old 5.43.24 firmware and was getting wpa3 personal on my iphone.. When connected to ssid set for personal wpa2/3. But that was on pro, lite and lr models - not flex or nano. An enterprise ssid was still showing wpa2-enterprise

                                                                          They had released a .27 and a .28, but for the pro,lite and lr line, etc. When they jumped to 5.53 - they are all listed on the same firmware version.

                                                                          edit: I upvoted your post over on the unifi forums as well - it's just moronic that what a client is connected at be it wpa2 or 3 is not on the controller.. Installing the profile is a pita, and it's only good for like 30 days even. Stupid why that needs a specific profile to be given to the user.. Great info there should just be default.. Actual signal strength, specific bssid connected to, etc.

                                                                          edit: So with the latest firmware 5.53.1.12737, looks like showing that connected with wpa3-enterprise

                                                                          wpa3ent.png

                                                                          I had bumped my son's on his flexHD to wpa2/3 personal.. But he had a problem with one of his roku sticks. I will have to try moving back to wpa3, see if I can even just turn off wpa2.. But I doubt some of his stuff, tv and rokus support 3, so will prob have to leave it in transition mode.
